What the vulnerability does
01 Description
The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to privilege escalation in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.
Explanation of Vulnerability in Simple Terms
02 Summary
WP RealEstate versions 1.6.26 and earlier contain a privilege management flaw that allows unauthenticated attackers to gain full control of the site without user interaction. The vulnerability affects all versions since the plugin's release, and no patch information is currently available. Site administrators should immediately disable the plugin and contact ApusThemes for a security update.
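One way to enforce the kind of role restriction that 'process_register' lacks, as an added example rather than the plugin's or ApusThemes' code: a must-use plugin that demotes any self-registered account whose role is outside an allowlist. The allowlist, the `rrg_` names and the assumption that the account is created through `wp_insert_user()` are illustrative; the page does not show the plugin's code.

```php
<?php
/**
 * Added example (not ApusThemes code): must-use plugin that strips elevated
 * roles from accounts created by requests lacking user-management rights.
 * Assumption: the account is created via wp_insert_user(), so its role is
 * already assigned when the core 'user_register' action fires.
 */

// Hypothetical allowlist: roles a visitor may self-register as on this site.
const RRG_SELF_REGISTER_ROLES = array( 'subscriber' );

// Pure check: which of the assigned roles fall outside the allowlist?
function rrg_disallowed_roles( array $assigned, array $allowed ) {
    return array_values( array_diff( $assigned, $allowed ) );
}

function rrg_enforce_registration_role( $user_id ) {
    // Accounts created from WP-CLI or by a logged-in user manager are trusted.
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;
    }
    if ( is_user_logged_in() && current_user_can( 'promote_users' ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $bad = rrg_disallowed_roles( (array) $user->roles, RRG_SELF_REGISTER_ROLES );
    if ( $bad ) {
        // set_role() replaces every role the account holds with the safe one.
        $user->set_role( RRG_SELF_REGISTER_ROLES[0] );
        error_log( sprintf(
            'registration role guard: user %d had disallowed role(s) %s, demoted',
            $user_id,
            implode( ',', $bad )
        ) );
    }
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: run last so the role other callbacks left is what gets checked.
    add_action( 'user_register', 'rrg_enforce_registration_role', PHP_INT_MAX );
} else {
    // Stand-alone run (php file.php) on constructed input.
    var_dump( rrg_disallowed_roles( array( 'administrator' ), RRG_SELF_REGISTER_ROLES ) );
}
```

Each line this guard writes to the PHP error log marks a registration that ended up with a role outside the allowlist, which makes the log a useful detection signal as well.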
What an attacker can do
03 Attacker Capabilities
Read, modify, or delete any site data; run their own code on the site; create admin accounts.
Potential impact on your site
04 Site Impact
Complete compromise of the WordPress site, including data theft, malware injection, and loss of admin control.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
April 1, 2025: CVE published
April 8, 2026: Record updated